Kingsley,
Actually, ARP ACLs do not work in conjunction with Snooping. They are specifically for environments without DHCP. The DHCP snooping database is not checked as a precursor to the ACL.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, March 31, 2010 8:11 AM
To: [email protected]
Subject: [OSL | CCIE_Security] ARP access-list with static

Hi all

As with any other access-list, an arp access-list also has an implicit deny any any at the end, and hence, even if there is a dhcp snooping entry, the ARP packet will be dropped if there is no entry in the access-list. As per the notes from Cisco given below, the implicit deny will be activated only when the "static" keyword is configured.

I have an arp access-list with no entry and have applied it to the vlan. Even without the "static" keyword, the ARP packets are dropped though I have a dhcp snooping binding available. Any thoughts?

ip arp inspection filter vlan

To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command in global configuration mode. To disable this application, use the no form of this command.
    ip arp inspection filter arp-acl-name vlan vlan-range [static]
    no ip arp inspection filter arp-acl-name vlan vlan-range [static]

Syntax Description

    arp-acl-name   Access control list name.
    vlan-range     VLAN number or range; valid values are from 1 to 4094.
    static         (Optional) Treats implicit denies in the ARP ACL as explicit denies and drops
                   packets that do not match any previous clauses in the ACL.

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
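An added example, not from the thread: a small Python model of the evaluation order described in the quoted Cisco syntax description (ARP ACL first, then the DHCP snooping binding table unless "static" turns the implicit deny into an explicit one). The class names, the ACE format, the VLAN number and the sample packets are constructed; whether a given platform actually consults the binding table after an ACL miss, which is what the thread disagrees about, is not something the model decides.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class ArpAclEntry:
    action: str   # "permit" or "deny"
    ip: str       # sender IP to match, or "any"
    mac: str      # sender MAC to match, or "any"

@dataclass
class ArpPacket:
    vlan: int
    sender_ip: str
    sender_mac: str

# (vlan, ip, mac) tuples as learned by DHCP snooping (constructed sample)
Binding = Tuple[int, str, str]

def acl_lookup(acl: List[ArpAclEntry], pkt: ArpPacket) -> Optional[str]:
    """First-match ACL walk. None means no clause matched, i.e. the implicit deny."""
    for ace in acl:
        if ace.ip in ("any", pkt.sender_ip) and ace.mac in ("any", pkt.sender_mac):
            return ace.action
    return None

def dai_decision(acl: List[ArpAclEntry], bindings: Set[Binding],
                 pkt: ArpPacket, static: bool = False) -> str:
    """Evaluation order as documented for 'ip arp inspection filter ... vlan ... [static]'."""
    action = acl_lookup(acl, pkt)
    if action == "permit":
        return "permit (ARP ACL)"
    if action == "deny":
        return "drop (ARP ACL explicit deny)"
    if static:
        # 'static': implicit deny is treated as explicit, bindings are never consulted
        return "drop (implicit deny, static)"
    if (pkt.vlan, pkt.sender_ip, pkt.sender_mac) in bindings:
        return "permit (DHCP snooping binding)"
    return "drop (no ACL match, no binding)"

if __name__ == "__main__":
    # Kingsley's scenario: empty ACL applied to the VLAN, host has a snooping binding
    empty_acl: List[ArpAclEntry] = []
    bindings = {(10, "192.0.2.20", "00:11:22:33:44:55")}   # constructed
    host = ArpPacket(10, "192.0.2.20", "00:11:22:33:44:55")
    print("without static:", dai_decision(empty_acl, bindings, host))
    print("with static:   ", dai_decision(empty_acl, bindings, host, static=True))
```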
